Session Management Using URL Rewritting Instead of Cookies


This article is next in the series of articles about Java Servlet Session management. In this article we will learn about maintaining the client state or session by using URL Rewriting in a Servlet.

A Web container can use several methods to associate a session with a user, all of which involve ing an identifier between the client and server. The identifier can be maintained on the client as a cookie or the Web component can include the identifier in every URL that is returned to the client.

Session Management Using URL Rewriting Instead of Cookies:

In some situations, a browser or wireless device may not accept cookies, which makes session tracking with cookies impossible. URL rewriting provides you with another session tracking alternative. that can be substituted automatically when Server detects that the browser does not accept cookies. URL rewriting involves encoding the session ID into the hyper-links on the Web pages that your servlet sends back to the browser. When the user subsequently clicks these links, Server extracts the ID from the URL address and finds the appropriate HttpSession when your servlet calls the getSession() method.

If your application makes use of session objects, you must ensure that session tracking is enabled by having the application rewrite URLs whenever the client turns off cookies. You do this by calling the response's encodeURL(URL) method on all URLs returned by a servlet. This method includes the session ID in the URL only if cookies are disabled; otherwise, it returns the URL unchanged.
Usually, this technique is used when information that is to be transferred is not very critical because the URL can be intercepted easily during transfer. Given below the example of URL rewriting :


import java.util.Date;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
public class UrlRewritingServ extends HttpServlet
static final String COUNTER_KEY = "Counter.count";
public void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException,IOException
          HttpSession session = req.getSession(
          PrintWriter out = resp.getWriter();
int count = 1;
          String str =
"Url rewriting";
          Integer i = (Integer) session.getAttribute(
if (i != null)
            count = i.intValue() + 1;
COUNTER_KEY, new Integer(count));
"<BODY BGCOLOR=\"yellow\">\n" +
"<H1 ALIGN=\"CENTER\">" + str + "</H1>\n" +
"<H2>Information about Your Session:</H2>\n" +
"<TR BGCOLOR=\"yellow\">\n" +
"  <TH>Info Type<TH>Value\n" +
"<TR>\n" +
"  <TD>Session ID\n" +
"  <TD>" + session.getId() + "\n" +
"<TR>\n" +
"  <TD>Creation Time\n" +
"  <TD>" + new Date(session.getCreationTime()) + "\n" +
"<TR>\n" +
"  <TD>Time of Last Access\n" +
"  <TD>" + new Date(session.getLastAccessedTime()) + "\n" +
"<TR>\n" +
"  <TD>Time out\n" +
"  <TD>" + new Date(session.getMaxInactiveInterval()) + "\n" +
"<TR>\n" +
"</TABLE>\n" +
"</b> Number of Previous Accesses of this page <b>" + count+ "</b> time(s) during this browser session");
          String url = req.getRequestURI();
"<form method=GET action=\"" + resp.encodeURL(url) + "\">");
"<input type=submit " + "value=\"Hit page again\">");
public void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException,IOException
            doGet(req, resp);


<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="" xmlns=""
xmlns:web="" xsi:schemaLocation=""
id="WebApp_ID" version="2.5">

when you run this servlet the output is as follows: 

URL rewritting Ist:


URL rewritting  2nd:


I think this article will be helpful to learn about Session management by URL Rewriting in JAVA.